<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div th:replace="~{common/common::head}"></div>

<body>
<div class="layuimini-container">
    <div class="layuimini-main">
        <div class="layui-row layui-col-space15">
            <div class="layui-col-md12">
                <fieldset class="layui-elem-field layui-field-title">
                    <legend style="color: rgb(30 159 255)">SPEL - 表达式注入</legend>
                    <blockquote class="layui-elem-quote layui-quote-nm"
                                style="font-size: 15px;background-color: #a7deefab;box-shadow: 0 .125rem .25rem rgba(0, 0, 0, .075) !important">
                        <p>
                        <pre>  SPEL(Spring Expression Language)：SPEL是Spring表达式语言，允许在运行时动态查询和操作对象属性、调用方法等，类似于Struts2中的OGNL表达式。当参数未经过滤时，攻击者可以注入恶意的SPEL表达式，从而执行任意代码</pre>
                        <pre>  表达式语言/模板：表达式语言用于动态处理固定格式的内容，其中变量部分可以在运行时填入。模板可以将固定部分提取出来，方便模块化管理，动态填充变量内容</pre>
                        </p>
                    </blockquote>
                </fieldset>
            </div>
            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1 style="display: flex; justify-content: space-between; align-items: center;height: 33.5px">
                            <span class="iconfont icon-bug">  漏洞场景：原生漏洞场景</span>
                            <span class="iconfont icon-liuliang1">
                                <a href="/other/datapackage/spel/spel.pcapng" download="spel.pcapng"
                                   style="margin-right: 19px;color: #00bb00">流量分析</a>
                            </span>
                        </h1>

                        <div class="layui-tab layui-tab-brief">
                            <div class="layui-tab-content">

                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="ex" style="width: 300px;" required
                                                   lay-verify="required" value="100-1" placeholder="spel表达式" autocomplete="off"
                                                   class="layui-input" id="vul-raw-input">
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select" lay-filter="vul-raw-select">
                                                    <option value="">示例Payload</option>
                                                    <option value="100-1">探测SPEL注入</option>
                                                    <option value="T(java.lang.Runtime).getRuntime().exec(&#x27;open -a Calculator&#x27;)">
                                                        弹计算器-mac
                                                    </option>
                                                    <option value='T(java.lang.Runtime).getRuntime().exec(&#x27;calc.exe&#x27;)'>
                                                        弹计算器-win
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="vul-raw" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">代码审计SINK点：
  1、SpelExpressionParser.parseExpression()
  2、Expression.getValue()</pre>
                                        </div>
                                    </div>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-warning icon-output"></i>测试结果</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre id="vul-raw-result" style="color: red;font-size: 15px;"></pre>
                                        </div>
                                    </div>
                                </div>


                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1 style="display: flex; align-items: center; height: 33.5px;">
                            <span class="iconfont icon-code" style="height: 22.5px;">缺陷代码</span>
                        </h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="spelVul">
                            </div>
                        </div>
                    </div>

                </div>
            </div>


            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-anquan"> 安全场景：使用SimpleEvaluationContext限制表达式功能</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <div class="layui-tab-content">

                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="ex" style="width: 300px;" required
                                                   lay-verify="required" value="100-1" placeholder="spel表达式" autocomplete="off"
                                                   class="layui-input" id="safe-raw-input">
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select" lay-filter="safe-raw-select">
                                                    <option value="">示例Payload</option>
                                                    <option value="100-1">探测SPEL注入</option>
                                                    <option value="T(java.lang.Runtime).getRuntime().exec(&#x27;open -a Calculator&#x27;)">
                                                        弹计算器-mac
                                                    </option>
                                                    <option value='T(java.lang.Runtime).getRuntime().exec(&#x27;calc.exe&#x27;)'>
                                                        弹计算器-win
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="safe-raw" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">SimpleEvaluationContext不支持以下危险功能：
	Java 类型引用: 无法通过表达式引用Java类，从而防止调用静态方法
	构造函数调用: 不能通过表达式实例化新对象
	Bean 引用: 无法通过表达式访问Spring应用上下文中的bean</pre>
                                        </div>
                                    </div>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-warning icon-output-safe"></i>测试结果</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre id="safe-raw-result" style="color: red;font-size: 15px;"></pre>
                                        </div>
                                    </div>
                                </div>


                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code">  安全代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="spelSafe">
                            </div>
                        </div>
                    </div>

                </div>
            </div>


        </div>
    </div>
</div>
</div>

<div th:replace="~{common/common::script}"></div>
<script type="text/javascript">
    document.addEventListener("DOMContentLoaded", function () {

        layui.use(['layer', 'miniTab', 'common', 'form'], function () {
            var $ = layui.jquery,
                layer = layui.layer,
                miniTab = layui.miniTab,
                common = layui.common;
            miniTab.listen();
            layer.msg("SPEL - 表达式注入")

            common.formListenFun("vul-raw", "", "/spel/vul", "vul-raw-result", "get");
            common.selectListenFun("vul-raw-select", "vul-raw-input");

            common.formListenFun("safe-raw", "", "/spel/safe", "safe-raw-result", "get");
            common.selectListenFun("safe-raw-select", "safe-raw-input");

            var cmConfig = {
                lineNumbers: true,
                lineWrapping: false,
                indentUnit: 4,
                indentWithTabs: true,
                theme: 'juejin',
                styleActiveLine: {nonEmpty: true},
                fontSize: "18px",
                mode: "text/x-java"
            };

            var cmConfigSafe = {
                lineNumbers: true,
                lineWrapping: false,
                indentUnit: 4,
                indentWithTabs: true,
                theme: 'juejinsafe',
                styleActiveLine: {nonEmpty: true},
                fontSize: "18px",
                mode: "text/x-java"
            };

            CodeMirror(document.getElementById("spelVul"), Object.assign({}, cmConfig, {
                value: spelVul
            }));
            CodeMirror(document.getElementById("spelSafe"), Object.assign({}, cmConfigSafe, {
                value: spelSafe
            }));

        });
    });


</script>

</body>
</html>
